CVE-2025-61865: Unquoted search path or element in I-O DATA DEVICE, INC. NarSuS App
NarSuS App registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
AI Analysis
Technical Summary
CVE-2025-61865 is a vulnerability in the NarSuS App developed by I-O DATA DEVICE, INC., affecting versions prior to 2.33. The app registers a Windows service whose executable path (the ImagePath value) is not enclosed in quotes. When the Service Control Manager starts the service, CreateProcess cannot tell where the executable name ends if the path contains spaces, so it tries each space-delimited prefix in turn, appending .exe, before falling back to the full path: for an illustrative (not the actual) install path C:\Program Files\Vendor App\svc.exe it looks for C:\Program.exe, then C:\Program Files\Vendor.exe, and only then the real binary. The advisory names write permission on the root directory of the system drive (normally C:\) as the precondition, which matches the first of those candidates: a user who can create a file there gets it executed with SYSTEM privilege the next time the service starts, for example at boot. On a default Windows installation standard users may create subdirectories in the root of the system drive but not files, so the precondition generally implies a weakened ACL, an administrator account, or a service account with broader rights. That is reflected in the CVSS v3.0 base score of 6.7 (medium), which assumes local access and high privileges but rates the confidentiality, integrity and availability impact as high. No public exploits had been reported when this entry was enriched, but the vulnerability is published. The flaw is the classic unquoted search path (CWE-428) binary-planting weakness, prevented by quoting the service path at registration. The affected product is primarily used in environments where I-O DATA DEVICE, INC. hardware is deployed, often for managing network-attached storage.
Potential Impact
For European organizations, exploitation means full compromise of the Windows host running the vulnerable NarSuS App: the planted code runs as SYSTEM, so an attacker can read or alter data on the host, disable services, and use the machine as a foothold for lateral movement within the network. That matters most in sectors such as finance, healthcare and government, where data integrity and availability are paramount. The need for local write access to the system-drive root rules out direct remote exploitation, but not abuse by a lower-privileged user on a shared host, by an insider, or by malware that already has a foothold and wants SYSTEM. A compromised host can then be used to stage ransomware or other malware. The absence of known exploits lowers the immediate risk but not the long-term one, since the weakness is public and trivial to exploit once the precondition is met.
Mitigation Recommendations
Upgrade the NarSuS App to version 2.33 or later, where the service path is registered correctly. Until the upgrade is applied, confirm the exposure with sc qc (the BINARY_PATH_NAME line shows whether the path is quoted) and quote the path yourself as a stop-gap. Review the ACL on the root of the system drive (icacls C:\) and remove any entry that lets non-administrators create files there. Audit and alert on file creation in the root directory and in the other prefix directories of the service path, since those are the only places a planted binary can live. Use application control (WDAC or AppLocker) so that a planted binary cannot run as SYSTEM even if it is placed. Scan all services for unquoted paths containing spaces; the same weakness recurs across third-party installers. Train administrators on secure service registration, and keep endpoint protection and intrusion detection current to catch exploitation attempts.
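To make the lookup order described in the Technical Summary concrete and to give the service audit recommended above something to run, here is an added Python example; it is not code from I-O DATA or from this page. It reproduces the prefix-by-prefix search CreateProcess performs on an unquoted path, reports the files an attacker would have to plant, and, on a Windows host, walks HKLM\SYSTEM\CurrentControlSet\Services to flag every Win32 service whose ImagePath is unquoted and contains a space. The sample ImagePath strings are constructed; the real NarSuS service path is not given in the advisory. Cutting the executable from its arguments at the first token ending in .exe is a heuristic of this example, not something Windows does.

```python
"""Audit Windows service ImagePath values for the unquoted-search-path
weakness (CWE-428) that CVE-2025-61865 is an instance of.

The NarSuS service path is not published in the advisory, so the sample
ImagePath strings below are constructed for illustration. The registry scan
is a real audit on a Windows host and returns nothing elsewhere.
"""
import ntpath
import os
import sys

# Service Type bits for user-mode services (SERVICE_WIN32_OWN_PROCESS 0x10
# and SERVICE_WIN32_SHARE_PROCESS 0x20). Kernel drivers use other values and
# are not launched through CreateProcess, so the scan skips them.
WIN32_SERVICE_TYPE_MASK = 0x30


def split_image_path(image_path: str) -> tuple[str, bool]:
    """Return (executable_part, quoted).

    A quoted path is unambiguous: the executable is the text inside the
    quotes. For an unquoted path we keep everything up to and including the
    first token ending in .exe (a heuristic for separating binary from args).
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return (image_path[1:] if end == -1 else image_path[1:end]), True
    tokens = image_path.split(' ')
    for i, tok in enumerate(tokens):
        if tok.lower().endswith('.exe'):
            return ' '.join(tokens[:i + 1]), False
    return image_path, False


def executable_candidates(image_path: str) -> list[str]:
    """Executables CreateProcess tries, in order, when starting the service.

    Constructed example: 'C:\\Program Files\\Vendor App\\svc.exe' yields
    ['C:\\Program.exe', 'C:\\Program Files\\Vendor.exe',
     'C:\\Program Files\\Vendor App\\svc.exe'].
    """
    exe, quoted = split_image_path(image_path)
    if quoted:
        return [exe]
    tokens = exe.split(' ')
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = ' '.join(tokens[:i])
        # CreateProcess appends .exe only when the candidate has no extension.
        if not ntpath.splitext(prefix)[1]:
            prefix += '.exe'
        candidates.append(prefix)
    return candidates


def hijack_points(image_path: str) -> list[str]:
    """Files an attacker would have to plant to be started instead of the
    real binary: every candidate except the last (intended) one."""
    return executable_candidates(image_path)[:-1]


def scan_windows_services() -> dict[str, list[str]]:
    """Map service name -> hijack points for every Win32 service under
    HKLM\\SYSTEM\\CurrentControlSet\\Services whose ImagePath is unquoted
    and contains a space. Returns {} when not running on Windows."""
    if sys.platform != 'win32':
        return {}
    import winreg  # Windows-only module, hence the late import
    findings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r'SYSTEM\CurrentControlSet\Services') as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for index in range(subkey_count):
            name = winreg.EnumKey(services, index)
            try:
                with winreg.OpenKey(services, name) as svc:
                    svc_type, _ = winreg.QueryValueEx(svc, 'Type')
                    image_path, _ = winreg.QueryValueEx(svc, 'ImagePath')
            except OSError:
                continue  # no ImagePath/Type, or access denied
            if not isinstance(svc_type, int):
                continue
            if not svc_type & WIN32_SERVICE_TYPE_MASK:
                continue
            # ImagePath is often REG_EXPAND_SZ (%SystemRoot%\...): expand it.
            points = hijack_points(os.path.expandvars(image_path))
            if points:
                findings[name] = points
    return findings


# Constructed sample ImagePath values, not taken from any real system.
SAMPLE_IMAGE_PATHS = {
    'quoted, safe': r'"C:\Program Files\Vendor App\svc.exe" -service',
    'unquoted with spaces, vulnerable': r'C:\Program Files\Vendor App\svc.exe -service',
    'unquoted without spaces, safe': r'C:\Windows\system32\svchost.exe -k netsvcs',
}

if __name__ == '__main__':
    for label, image_path in SAMPLE_IMAGE_PATHS.items():
        print(f'{label}: {hijack_points(image_path) or "no hijack points"}')
    for name, points in scan_windows_services().items():
        print(f'LIVE {name}: {points}')
```

Run it as an administrator on the host with NarSuS installed; a finding whose first hijack point is a file directly under C:\ is exactly the case the advisory describes. A flagged service can be corrected until the vendor fix is installed with sc config <service> binPath= "\"<full path>\"" (the space after binPath= is required, and the inner escaped quotes are what make the registered path quoted), and the ACL of the system-drive root checked with icacls C:\ for entries that let non-administrators create files there.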
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2025-10-02T07:57:52.217Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68f9af5e102015466a3d3402
Added to database: 10/23/2025, 4:30:22 AM
Last enriched: 10/30/2025, 4:40:24 AM
Last updated: 12/7/2025, 1:51:48 PM